W32/Sasser-F

Discussion in 'malware problems & news' started by Marianna, May 11, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter)

    Joined: Apr 23, 2002
    Posts: 1,215
    Location: B.C. Canada

    Aliases
    Worm.Win32.Sasser.a, W32.Sasser.Worm, W32/Sasser.worm.f

    Type
    Win32 worm

    Description
    W32/Sasser-F is a network worm which spreads by exploiting a Microsoft
    LSASS vulnerability.
    The worm copies itself to the Windows folder as NAPATCH.EXE and sets the
    following registry entry to auto-start on user logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    nvpatch = napatch.exe

    W32/Sasser-F attempts to connect to random IP addresses on ports TCP/445
    and TCP/9996 and then exploit the LSASS vulnerability. If successful, an FTP
    script is uploaded to and executed on the remote computer, which then
    connects back on port 5554 to download a copy of the worm via FTP.

    W32/Sasser-F may cause the program LSASS.EXE to terminate, which generally
    prompts Windows to shut down and reboot. However, W32/Sasser-F attempts to
    prevent a system shutdown.

    http://www.sophos.com/virusinfo/analyses/w32sasserf.html
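
The network behaviour described in the post above can be turned into a simple flow-log check. This is an added example, not part of the original post or of the Sophos analysis; the record format, the fan-out threshold and all sample addresses are constructed assumptions.

```python
from collections import defaultdict

SCAN_PORT = 445    # LSASS exploit attempts go to TCP/445 (from the post)
SHELL_PORT = 9996  # second port the worm connects to (from the post)
FTP_PORT = 5554    # victim connects back here to fetch the worm (from the post)
SCAN_THRESHOLD = 5 # assumption: distinct TCP/445 targets before we call it a scan

# Constructed sample records, (src_ip, dst_ip, dst_port); not real traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"192.0.2.{i}", SCAN_PORT) for i in range(1, 7)]
    + [
        ("10.0.0.5", "10.0.0.9", SHELL_PORT),  # infected host reaches a victim
        ("10.0.0.9", "10.0.0.5", FTP_PORT),    # victim connects back for the copy
        ("10.0.0.20", "10.0.0.2", SCAN_PORT),  # ordinary file-share client
    ]
)

def score_hosts(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {host: [indicator, ...]} for hosts matching the described pattern."""
    scan_targets = defaultdict(set)  # src -> distinct TCP/445 destinations
    shell_out = defaultdict(set)     # src -> TCP/9996 destinations
    ftp_in = defaultdict(set)        # dst -> peers that connected to its TCP/5554
    ftp_out = defaultdict(set)       # src -> hosts it fetched from on TCP/5554
    for src, dst, port in flows:
        if port == SCAN_PORT:
            scan_targets[src].add(dst)
        elif port == SHELL_PORT:
            shell_out[src].add(dst)
        elif port == FTP_PORT:
            ftp_in[dst].add(src)
            ftp_out[src].add(dst)
    hosts = set(scan_targets) | set(shell_out) | set(ftp_in) | set(ftp_out)
    findings = {}
    for host in sorted(hosts):
        reasons = []
        if len(scan_targets.get(host, ())) >= scan_threshold:
            reasons.append("tcp445-fanout")     # probing many addresses
        if shell_out.get(host):
            reasons.append("tcp9996-outbound")
        if ftp_in.get(host):
            reasons.append("tcp5554-inbound")   # serving the worm copy
        if ftp_out.get(host):
            reasons.append("tcp5554-outbound")  # likely newly compromised
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in score_hosts(SAMPLE_FLOWS).items():
        print(host, ", ".join(reasons))
```

A host showing all three of the first indicators matches the infected-host side of the description, while `tcp5554-outbound` alone marks a machine that should be checked for NAPATCH.EXE and the `nvpatch` Run entry.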
     